CVE-2022-43332: GitHub - maikroservice/CVE-2022-43332: Cross Site Scripting in WonderCMS v3.3.4

A cross-site scripting (XSS) vulnerability in WonderCMS v3.3.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Site title field of the Configuration Panel.

CVE-2022-43332

Cross Site Scripting in WonderCMS

Description: A cross-site scripting (XSS) vulnerability in WonderCMS v3.3.4 allows potential attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Site title field of the Configuration Panel. Because the cookie is set without the HttpOnly flag, this could be used to steal the cookies of logged-in users.

How to Reproduce: Download the zip file provided at wondercms.com (3.3.4) and unzip it to a web server. After logging in with the password provided on the homepage, the title can be adjusted in the settings menu. The vulnerability can be triggered with the following payload: <script>javascript:alert(document.cookie)</script>
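A regression check for the two conditions described above (site title rendered without output encoding, session cookie without HttpOnly), added here as an example and not part of the original repository. The responses are constructed rather than captured from WonderCMS, and the cookie name `PHPSESSID`, the `<h1>` placement of the title and all function names are assumptions.

```python
import html

# Constructed probe: harmless markup that only survives raw if output encoding is missing.
MARKER = "<i>title-probe</i>"

def build_response(cookie_attrs, rendered_title):
    """Build a constructed HTTP response (not captured from a real install)."""
    head = ["HTTP/1.1 200 OK", "Content-Type: text/html",
            "Set-Cookie: PHPSESSID=abc123; " + cookie_attrs]  # cookie name is an assumption
    body = "<html><body><h1>" + rendered_title + "</h1></body></html>"
    return "\r\n".join(head) + "\r\n\r\n" + body

VULN_RESPONSE = build_response("path=/", MARKER)
FIXED_RESPONSE = build_response("path=/; HttpOnly", html.escape(MARKER))

def split_response(raw):
    """Return ([(lowercased header name, value)], body) from a raw response."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = [line.split(":", 1) for line in head.split("\r\n")[1:] if ":" in line]
    return [(k.strip().lower(), v.strip()) for k, v in headers], body

def cookies_missing_httponly(headers):
    """Names of cookies whose Set-Cookie header has no HttpOnly attribute."""
    missing = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        pair, *attrs = [p.strip() for p in value.split(";")]
        if "httponly" not in {a.split("=", 1)[0].lower() for a in attrs}:
            missing.append(pair.split("=", 1)[0])
    return missing

def title_unescaped(body, stored_title):
    """True if the stored title appears in the page without HTML encoding."""
    if not any(c in stored_title for c in "<>&\"'"):
        raise ValueError("probe must contain HTML metacharacters")
    return stored_title in body

def audit(raw, stored_title=MARKER):
    headers, body = split_response(raw)
    return {"cookies_missing_httponly": cookies_missing_httponly(headers),
            "title_unescaped": title_unescaped(body, stored_title)}

if __name__ == "__main__":
    print(audit(VULN_RESPONSE))
    print(audit(FIXED_RESPONSE))
```

Either finding alone is worth fixing: encoding the title on output removes the injection point, while HttpOnly only limits what an injected script can read.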
